CISA: APTs exploiting Fortinet FortiOS vulnerabilities

Advanced persistent threat actors may be exploiting multiple Fortinet FortiOS vulnerabilities, according to a joint cybersecurity advisory published Friday by the FBI and the Cybersecurity and Infrastructure Security Agency.

According to the advisory, the two agencies observed unnamed APT actors scanning devices for three different vulnerabilities that affected FortiOS, Fortinet's central security operating system. The vulnerabilities include CVE-2018-13379, a path traversal vulnerability (Common Vulnerability Scoring System base score of 9.8); CVE-2020-12812, an improper authentication vulnerability (CVSS base score of 9.8); and CVE-2019-5591, a default configuration vulnerability (CVSS base score of 7.5).

CVE-2020-12812, the most recent vulnerability, was patched in July 2020, and the other two were patched in mid-2019.

CVE-2018-13379 in particular has been subject to exploitation since its discovery in 2018. The U.S. National Security Agency warned about the vulnerability being exploited by nation-state hackers in 2019. In October 2020, a joint CISA/FBI advisory about federal, state and local U.S. government networks being targeted mentioned the vulnerability.

The FBI and CISA specifically called out commercial, government and technology services networks as likely targets, and mentioned data encryption and data exfiltration as possible follow-on attacks once the attackers gain access to a victim network.

"The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks. APT actors may use other CVEs or common exploitation techniques -- such as spearphishing -- to gain access to critical infrastructure networks to pre-position for follow-on attacks," the advisory read.

The agencies offered a dozen mitigations for organizations, including patching the vulnerabilities, implementing multifactor authentication and creating regular backups.

CISA declined to comment on whether the APTs are working on behalf of a nation-state, and which nation-state that might be.

Fortinet field chief technology officer Carl Windsor published a blog post Saturday in response to the joint advisory, writing that while Fortinet has already resolved the vulnerabilities and continued to educate customers, "the joint advisory from FBI and CISA that posted on April 2, 2021, provides evidence that there are still unpatched devices in the wild being abused, and highlights the risk of end users not proactively updating appliances."

SearchSecurity asked Fortinet if the company has seen APTs exploiting these vulnerabilities, as well as the number of vulnerable customers remaining. The security vendor declined to respond directly. Instead, a spokesperson provided the following statement.

"The security of our customers is our first priority. CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a PSIRT advisory and communicated directly with customers and via corporate blog posts on multiple occasions in August 2019 and July 2020 strongly recommending an upgrade. Upon resolution we have consistently communicated with customers, as recently as late as 2020. CVE-2019-5591 was resolved in July 2019 and CVE-2020-12812 was resolved in July 2020. To get more information, please visit our blog and immediately refer to the May 2019 advisory. If customers have not done so, we urge them to immediately implement the upgrade and mitigations," the statement read.

Alexander Culafi is a writer, journalist and podcaster based in Boston.